By NHI Mgmt Group Editorial TeamPublished 2026-06-29Domain: Identity Beyond IAMSource: AU10TIX

TL;DR: AMLA must submit 23 technical standards and guidelines to the European Commission by July 10, 2026, and its draft rules already validate eIDAS-compliant digital identity and the EUDI Wallet for remote onboarding, according to AU10TIX. The practical shift is from locally interpreted KYC to a harmonized EU verification model that compliance teams must prepare for now, not after the AMLR becomes applicable in 2027.


At a glance

What this is: This is an analysis of AMLA’s draft AML technical standards and the key finding is that EU identity verification is being pushed toward harmonised, risk-based onboarding rules.

Why it matters: It matters because identity verification, KYC, and compliance teams must align onboarding, due diligence, and audit evidence with a stricter EU-wide standard that will reduce local interpretation.

By the numbers:

👉 Read AU10TIX's analysis of AMLA's new KYC and identity verification standards


Context

AMLA is turning anti-money-laundering compliance from a nationally interpreted process into a more uniform EU control environment. For identity verification teams, the central issue is no longer whether KYC exists, but whether onboarding, beneficial ownership checks, and ongoing monitoring can survive a harmonised rule set that treats digital identity, assurance level, and auditability as core governance requirements.

That shift matters because verification programmes often grew around local documents, local risk appetite, and local supervisory practice. The draft standards now pull those decisions toward a common EU baseline, which creates a direct identity governance issue for regulated firms, especially where remote onboarding, third-party verification, and continuing customer due diligence intersect with AMLA’s timetable.


Key questions

Q: What should identity verification teams do when AML rules move to a harmonised EU model?

A: They should standardise onboarding, due diligence, and review workflows against the new EU baseline rather than relying on local policy variants. The key test is whether the organisation can prove consistent identity evidence, risk classification, and monitoring decisions across jurisdictions. Harmonisation turns uneven practice into a governance liability.

Q: Why do eIDAS and the EUDI Wallet matter for KYC programmes?

A: They matter because they create a recognised path for remote verification with defined assurance, which reduces dependence on fragmented local document checks. Teams still need to validate binding, source trust, and auditability before accepting those credentials in regulated workflows. Digital identity only helps if the control model around it is equally strong.

Q: How can firms tell whether their customer due diligence is actually working?

A: They should look for three signals: verification decisions are repeatable, enhanced due diligence triggers are documented and defensible, and periodic reviews happen when risk changes. If the programme cannot show when identity evidence was refreshed, it is relying on static onboarding rather than continuous governance.

Q: Who is accountable when harmonised AML identity controls fail?

A: Accountability sits with the regulated entity that owns the onboarding and due diligence decision, even when external providers supply identity evidence or verification technology. Supervisors will expect clear ownership, documented evidence, and a remediated control path before the 2027 application date. Shared tooling does not mean shared regulatory responsibility.


Technical breakdown

How AMLA converts KYC from local practice into a harmonised control model

The AMLA framework matters because it moves customer due diligence from fragmented national interpretation toward a single EU rulebook. That means firms need consistent rules for what information to collect, how to verify identity, and when simplified or enhanced checks apply. In practice, this is not just a compliance rewrite. It changes the identity control surface by making onboarding evidence, assurance level, and monitoring triggers part of one governed lifecycle rather than separate process steps. For cross-border firms, inconsistency becomes a control defect, not an operating preference.

Practical implication: map current onboarding, CDD, and review workflows to the draft RTS now so local variants do not survive into the final operating model.

Why eIDAS and the EUDI Wallet change remote onboarding assurance

The draft RTS explicitly accepts eIDAS-compliant electronic identification and future EUDI Wallet credentials for remote onboarding. That is a material shift because it allows regulated firms to rely on standardised digital identity sources rather than treating remote checks as a weaker alternative to face-to-face verification. The real governance issue is assurance consistency. If the source identity, credential binding, and attribute quality are not controlled, the process may be digitally convenient but still weak from an AML and fraud perspective. This is where identity verification and IAM intersect: trusted identity sources have to be governed like critical control inputs.

Practical implication: validate whether your IDV stack can consume eIDAS and wallet-based credentials without weakening assurance or recordkeeping.

Why ongoing monitoring is now part of identity verification, not a separate task

The RTS makes clear that customer due diligence is not a point-in-time onboarding event. Periodic reviews and dynamic enhanced due diligence triggers mean customer identity must be re-evaluated as risk changes, not just when the account opens. That matters because many programmes still treat onboarding as the main control and monitoring as a downstream exception process. Under AMLA, the lifecycle is continuous. This is the same governance pattern identity teams face in NHI and account management: trust established once is not sufficient when risk, attributes, or relationships can change over time.

Practical implication: connect onboarding decisions to ongoing review logic, trigger events, and audit trails rather than relying on static case files.


NHI Mgmt Group analysis

AMLA is effectively imposing a governance model for identity evidence, not just a compliance checklist. The draft RTS makes verification sources, assurance levels, and due diligence thresholds explicit, which reduces room for local interpretation. That is a control maturity shift, because the weakest programmes are usually the ones where process memory replaces policy. For identity verification leaders, the implication is straightforward: if evidence quality is inconsistent, the control is not harmonised enough to survive EU-wide scrutiny.

Verification trust gap: remote onboarding succeeds or fails on whether the identity source can be trusted at the required assurance level. AMLA’s recognition of eIDAS and the EUDI Wallet shows that digital verification is becoming a governed trust problem, not a channel problem. Teams will need to prove that remote identity sources are equivalent to in-person checks under defined conditions. Practitioners should treat that gap as a source-selection and assurance-design issue, not a user-experience issue.

The new AML regime increases the cost of weak auditability. If firms cannot show which identity source was used, what trigger caused enhanced due diligence, and when a review was last performed, they will struggle to defend their decisions during supervision. That is especially relevant for cross-border firms with inherited local workflows. Practitioners should expect audit-ready identity evidence to become a baseline requirement rather than an afterthought.

AMLA’s model will expose whether compliance teams have lifecycle control or only onboarding control. The article makes clear that existing customers can be remediated over time, but new relationships must comply from the 2027 application date. That creates an operational divide between intake and portfolio remediation. Practitioners should plan for lifecycle governance across both stages, not treat existing customers as a temporary exception.

For identity verification providers, harmonisation will reward controlled integration over ad hoc document capture. The draft standards point toward reusable identity evidence, standard assurance logic, and more explicit review criteria. That means providers will need to prove that their workflows can support regulated decisioning at scale. Practitioners should evaluate whether their systems are built for durable compliance evidence, not just fast onboarding.

What this signals

Verification trust gap: identity programmes will be judged less on whether they can collect data and more on whether they can justify the source, assurance, and retention of that data across the lifecycle. That makes evidence quality, not volume, the differentiator for regulated onboarding.

Firms with distributed KYC operations should expect harmonisation to expose weak handoffs between product, compliance, and operations. The organisations that do best will treat identity evidence as governed control data, not as a one-time intake artifact.

For teams aligning to NIST Cybersecurity Framework 2.0, the practical lesson is that identity verification belongs in governed protection and recovery processes, not just in customer onboarding workflows.


For practitioners

  • Run a gap analysis against the draft RTS and AMLR articles Compare current onboarding, beneficial ownership, and enhanced due diligence workflows against Articles 16 to 46 of Regulation (EU) 2024/1624, then document where local practice diverges from the harmonised model.
  • Validate digital identity acceptance criteria Check that your platform can consume eIDAS-compliant electronic identification, qualified electronic attestations of attributes, and EUDI Wallet credentials at the assurance level required for regulated onboarding.
  • Build lifecycle monitoring into KYC operations Tie periodic review schedules and dynamic EDD triggers to customer records so identity verification remains active after onboarding rather than ending at account creation.
  • Create an audit trail for readiness decisions Record policy decisions, technical gaps, remediation plans, and owner assignments so you can show regulators how the organisation prepared before July 2027.

Key takeaways

  • AMLA is standardising how identity evidence is collected, verified, and reviewed across the EU, which raises the bar for every KYC programme.
  • eIDAS and the EUDI Wallet shift remote onboarding toward governed digital identity assurance, but only if providers can prove trust and auditability.
  • The organisations that prepare now will be the ones able to show continuous, defensible due diligence when the 2027 rulebook takes effect.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AThe article centres on identity proofing and remote verification assurance.
NIST CSF 2.0PR.AC-1Identity verification and access governance both depend on trustworthy credential assertions.
NIST SP 800-53 Rev 5IA-2Authentication and identity verification requirements align with regulated customer proofing.
GDPRArt. 5KYC and identity verification often involve personal data collection and retention.

Limit data collection to what is necessary and document retention, purpose, and accountability decisions.


Key terms

  • Customer Due Diligence: Customer due diligence is the process of identifying, verifying, and risk-rating a customer before and during a business relationship. In regulated environments it extends beyond onboarding, requiring ongoing review, beneficial ownership checks, and escalation when the customer profile changes.
  • eIDAS Compliant Electronic Identification: eIDAS-compliant electronic identification is a recognised digital identity method that meets EU assurance expectations for trusted remote verification. It provides a standardised basis for proving identity across borders, which helps reduce local interpretation differences in regulated onboarding.
  • Enhanced Due Diligence: Enhanced due diligence is the deeper set of checks applied when a customer, transaction, or relationship presents higher risk. It usually involves stronger source validation, more frequent review, and documented escalation so the organisation can explain why the higher-risk profile was accepted.
  • EUDI Wallet: The EUDI Wallet is a European digital identity capability designed to let people present verified attributes and credentials electronically. In AML and KYC settings it can become a controlled source of identity evidence, but only if firms define assurance, acceptance, and audit rules clearly.

What's in the full article

AU10TIX's full article covers the operational detail this post intentionally leaves for the source:

  • A line-by-line explanation of the draft AMLA RTS and how each article changes onboarding obligations.
  • The specific July 2026 and July 2027 sequencing that compliance teams need for programme planning.
  • Examples of which identity verification methods the standards accept for remote and in-person checks.
  • The article's practical guidance on aligning current KYC processes with the new EU rulebook.

👉 The full AU10TIX article explains the draft RTS, application timeline, and verification implications in more detail.

Deepen your knowledge

NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM, and secrets management for practitioners who need a structured identity-security foundation. It is suitable for security and compliance professionals building stronger governance across identity programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org